<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>SSLHandshakeException causes connections to fail | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'trb-security-sslhandshake.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/trb-security-sslhandshake.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/trb-security-sslhandshake.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/trb-security-sslhandshake.html" rel="nofollow" target="_blank">../en/trb-security-sslhandshake.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="security-troubleshooting.html">Troubleshooting security</a></span>
»
<span class="breadcrumb-node">SSLHandshakeException causes connections to fail</span>
</div>
<div class="navheader">
<span class="prev">
<a href="trb-security-maccurl.html">« Certificate verification fails for curl on Mac</a>
</span>
<span class="next">
<a href="trb-security-ssl.html">Common SSL/TLS exceptions »</a>
</span>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="trb-security-sslhandshake"></a>SSLHandshakeException causes connections to fail<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/troubleshooting.asciidoc">edit</a>
</h2>
</div></div></div>
<p><span class="strong strong"><strong>Symptoms:</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
A <code class="literal">SSLHandshakeException</code> causes a connection to a node to fail and indicates
that there is a configuration issue. Some of the common exceptions are shown
below with tips on how to resolve these issues.
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Resolution:</strong></span></p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">java.security.cert.CertificateException: No name matching node01.example.com found</code>
</span>
</dt>
<dd>
<p>Indicates that a client connection was made to <code class="literal">node01.example.com</code> but the
certificate returned did not contain the name <code class="literal">node01.example.com</code>. In most
cases, the issue can be resolved by ensuring the name is specified during
certificate creation. For more information, see <a class="xref" href="ssl-tls.html" title="Setting up TLS on a cluster">Setting up TLS on a cluster</a>. Another scenario is
when the environment does not wish to use DNS names in certificates at all. In
this scenario, all settings in <code class="literal">elasticsearch.yml</code> should only use IP addresses
including the <code class="literal">network.publish_host</code> setting.</p>
</dd>
<dt>
<span class="term">
<code class="literal">java.security.cert.CertificateException: No subject alternative names present</code>
</span>
</dt>
<dd>
<p>Indicates that a client connection was made to an IP address but the returned
certificate did not contain any <code class="literal">SubjectAlternativeName</code> entries. IP addresses
are only used for hostname verification if they are specified as a
<code class="literal">SubjectAlternativeName</code> during certificate creation. If the intent was to use
IP addresses for hostname verification, then the certificate will need to be
regenerated with the appropriate IP address. See <a class="xref" href="ssl-tls.html" title="Setting up TLS on a cluster">Setting up TLS on a cluster</a>.</p>
</dd>
<dt>
<span class="term">
<code class="literal">javax.net.ssl.SSLHandshakeException: null cert chain</code> and <code class="literal">javax.net.ssl.SSLException: Received fatal alert: bad_certificate</code>
</span>
</dt>
<dd>
<p>The <code class="literal">SSLHandshakeException</code> indicates that a self-signed certificate was
returned by the client that is not trusted as it cannot be found in the
<code class="literal">truststore</code> or <code class="literal">keystore</code>. This <code class="literal">SSLException</code> is seen on the client side of
the connection.</p>
</dd>
<dt>
<span class="term">
<code class="literal">sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</code> and <code class="literal">javax.net.ssl.SSLException: Received fatal alert: certificate_unknown</code>
</span>
</dt>
<dd>
<p>This <code class="literal">SunCertPathBuilderException</code> indicates that a certificate was returned
during the handshake that is not trusted. This message is seen on the client
side of the connection. The <code class="literal">SSLException</code> is seen on the server side of the
connection. The CA certificate that signed the returned certificate was not
found in the <code class="literal">keystore</code> or <code class="literal">truststore</code> and needs to be added to trust this
certificate.</p>
</dd>
<dt>
<span class="term">
<code class="literal">javax.net.ssl.SSLHandshakeException: Invalid ECDH ServerKeyExchange signature</code>
</span>
</dt>
<dd>
<p>The <code class="literal">Invalid ECDH ServerKeyExchange signature</code> can indicate that a key and a corresponding certificate don’t match and are
causing the handshake to fail.
Verify the contents of each of the files you are using for your configured certificate authorities, certificates and keys. In particular, check that the key and certificate belong to the same key pair.</p>
</dd>
</dl>
</div>
</div>
<div class="navfooter">
<span class="prev">
<a href="trb-security-maccurl.html">« Certificate verification fails for curl on Mac</a>
</span>
<span class="next">
<a href="trb-security-ssl.html">Common SSL/TLS exceptions »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>